December 23, 2015 By Rick M Robinson 3 min read

The holiday season is here. For chief information security officers (CISOs), as for Santa and his elves, it is the busiest season of the year.

For nearly all organizations, this season marks the run-up to an end-of-the-year security audit, a time to review and assess the organization’s cybersecurity progress and posture. And for retailers, it is also the busiest season of the year — one filled with its own security challenges.

A Season for Looking Back — and Ahead

The holidays are a time for making lists — not only of who’s been naughty or nice in the past year, but also for making resolutions on how best to meet the next year’s challenges. For CISOs, this means assessing and evaluating the security picture over the last 12 months, double-checking compliance needs and evaluating which issues are likely to be prime considerations next year.

CISOs will need to call on their elves to assist in these big tasks. These helpers may come from both inside and outside the organization, ranging from members of the security team and the rest of IT to representatives of other business units (IT’s internal customers), business partners and the broader cybersecurity community. Whether or not an external year-end audit is performed, WindowsObserver.com offered useful advice that goes beyond any specific operating system.

The first item on the CISO holiday checklist is looking back at how the security landscape developed in 2015. This means analyzing everything from internal event logs that give a highly granular picture of the organization’s own experience to surveying global trends that are shaping security. What threats has the organization faced and how effectively has it responded to them?

The second big item on the checklist is legal and regulatory compliance, a factor in all industries and absolutely critical for some, such as finance and health care. Official rules can be a pain to develop and implement, but most of them have been well-crafted by security professionals, and compliance requirements play a big part in building shared standards and best practices. But since new laws and rules often take effect early in the new year, compliance must be not only reviewed, but also updated.

Finally — last but by no means least — this is the season to prepare for the year ahead. What new potential threats are looming, and what tools are available to protect against them? For example, Wired noted that an emerging threat as we head into 2016 is malvertising, innocuous-seeming online ads placed on popular websites through third-party brokers that conceal malware. The victim does not even need to click on the ad; simply visiting major media sites can expose users.

Malvertising is outwardly a consumer threat, but in a bring-your-own-device (BYOD) world, what attacks employees as consumers can also attack the enterprise. And for organizations with advertising-supported websites, inadvertently hosting malvertisements is a huge security threat and an emerging challenge that must be met.

In short, the holiday checklist for CISOs includes thinking ahead to who may be naughty or nice next year.

For Retail CISOs, Unique Holiday Challenges

All organizations face these challenges, though many benefit from a holiday slowdown or even scheduled downtime. Let’s face it, a lot of people — though not the security team, of course — can and do “check out” a bit during the holidays.

Not so for the retail sector, including firms and charitable nonprofits that are not retailers themselves but whose business follows the retail cycle. This cycle famously (or infamously) peaks during the holiday season. So do its cybersecurity concerns.

Not only are people shopping more, but they are doing it amid more hectic surroundings and often going outside their familiar safe zones to look for that special gift. That means potential security risks spike even more than overall traffic does. Retail-related CISOs will be very busy indeed, earning some holiday cheer they won’t even be able to enjoy until after the season is over.

The good news, in and out of retail, is that this busy security season will soon be over. Security leaders who meet the seasonal challenges will be heading into 2016 with their organization’s security posture in good shape. That could give them plenty to celebrate when this time rolls around again next year.
